A crucial XSS vulnerability, CVE-2024-27443, in Zimbra Collaboration Suite’s CalendarInvite characteristic is actively being exploited, doubtlessly by the Sednit hacking group. Learn the way this flaw permits attackers to compromise consumer classes and why speedy patching is essential.
A brand new safety weak spot has been found within the Zimbra Collaboration Suite (ZCS), a well-liked e-mail and collaboration platform. This challenge, labeled as CVE-2024-27443, is a sort of cross-site scripting (XSS) flaw that might permit attackers to steal data or take management of consumer accounts.
How the Flaw Works
The issue lies particularly throughout the CalendarInvite characteristic of Zimbra’s Basic Net Shopper interface. It occurs as a result of the system doesn’t correctly examine incoming data within the Calendar header of emails.
This oversight creates a gap for a saved XSS assault. This implies an attacker can embed dangerous code right into a specifically designed e-mail. When a consumer opens this e-mail utilizing the basic Zimbra interface, the malicious code runs routinely inside their net browser, giving the attacker entry to their session. The severity of this vulnerability is rated as medium, with a CVSS rating of 6.1. It impacts ZCS variations 9.0 (patches 1-38) and 10.0 (as much as 10.0.6).
Widespread Publicity and Lively Exploitation
In keeping with Censys, a cybersecurity insights agency, as of Thursday, Could 22, 2025, when the unique report was printed, a major variety of Zimbra Collaboration Suite cases had been uncovered on-line that might be susceptible.
Censys noticed a complete of 129,131 doubtlessly susceptible ZCS cases globally, with most present in North America, Europe, and Asia. A big majority of those are hosted inside cloud providers. Moreover, 33,614 on-premises Zimbra hosts had been recognized, usually linked to shared infrastructure.
The vulnerability was formally added to CISA’s Identified Exploited Vulnerabilities (KEV) catalogue on Could 19, 2025, confirming it’s actively being utilized by attackers.
Potential Perpetrator?
Safety researchers from ESET have steered {that a} well-known hacking group, Sednit (PDF) (AKA APT28 or Fancy Bear), is perhaps concerned in exploiting it. ESET’s researchers suspect that the Sednit group might be exploiting this flaw as half of a bigger scheme known as Operation RoundPress, which goals to steal login particulars and keep entry to webmail platforms. Whereas there’s at the moment no public proof-of-concept (PoC) exploit, the energetic exploitation highlights the urgency for customers to take motion.
Patching and Mitigation
The excellent news is that patches can be found for this vulnerability. Zimbra has addressed the difficulty in ZCS model 10.0.7 and 9.0.0 Patch 39. Customers are strongly suggested to replace their Zimbra Collaboration Suite to those patched variations instantly to guard in opposition to potential assaults.
